1. Field of the Invention
This invention relates to the distribution of encrypted data objects over a broadcast channel, specifically to a cryptographic mechanism for resisting the unauthorized access to such data objects.
A data object may be any discernible packet of useful information bearing indicia (e.g., machine readable media or signals representing computer programs, songs, music, data, news, and the like).
A broadcast channel is a communication channel in any media in which data objects are broadcast to many potential users rather than sent to each user individually, examples of which include laser discs, CD-ROM, diskettes, TV-cables, and radio broadcasts. In the case of laser discs, CD-ROM and diskettes, though the physical devices themselves might be sent to users individually, the data objects contained therein are identical for all users and therefore satisfy the definition of "broadcast."
2. Related Art
Ensuring that access to broadcast information is restricted to those who have the necessary authorization requires the use of cryptographic techniques.
Though data object distribution by broadcast suffers from many of the potential abuses of other forms of software distribution (e.g., see U.S. Pat. No. 4,658,093, "Software Distribution System" to Hellman, M., April 1987), the use of a broadcast channel introduces many new challenges. Among the most pressing is that of allowing an authorized user to decrypt an object and yet preventing the authorized user from passing on the knowledge of how to decrypt such objects to the benefit of some unauthorized user.
In many systems there is no absolute protection against the redistribution of decrypted objects (although legal copyright may protect the data object per se). However, we are also concerned about the distribution (e.g., on computer bulletin boards) of blocks of information much shorter than the objects themselves; this short information, perhaps the decryption key, allows unauthorized access to one or more data objects.
Heretofore, attempted solutions to such problems have been provided by the predominant use of tamper-resistant hardware techniques (e.g., for storing decryption key data). See, for example:
U.S. Pat. No. 4,433,207, "Cryptographic Decoder for Computer Programs," February 1984
U.S. Pat. No. 4,683,553, "Method and Device for Protecting Software Delivered to a User by a Supplier," July 1987
U.S. Pat. No. 4,683,968, "System for Preventing Software Piracy Employing Multi-Encrypted Keys and Single Decryption Circuit Modules," August 1987
U.S. Pat. No. 4,817,140, "Software Protection System Using a Single-Key Cryptosystem, A Hardware-Based Authorization System and a Secure Co-Processor," March 1989
U.S. Pat. No. 4,907,273, "High Security Pay Television System," March 1990
U.S. Pat. No. 5,010,571, "Metering Retrieval of Encrypted Data Stored in Customer Data Retrieval Terminal," April 1991
U.S. Pat. No. 5,050,213, "Database Usage Metering and Protection System and Method," September 1991
U.S. Pat. No. 5,058,162, "Method of Distributing Computer Data Files," October 1991
U.S. Pat. No. 5,191,611, "Method and Apparatus for Protecting Material on Storage Media and for Transferring Material on Storage Media to Various Recipients," March 1993
Some of these prior attempted solutions require that the hardware unit on which decryption takes place has a unique cryptographic key attached (and securely retained therein). For example, in U.S. Pat. No. 4,433,207, such a key is referred to as a "permit code" and in U.S. Pat. No. 5,010,571 it is referred to as the "unit key." In U.S. Pat. No. 4,683,553, it is referred to as a "secret code." We refer to such a key that is unique to the decrypting unit as the unit key, though we shall only need this term when discussing the prior art.
The unit key is typically kept in a tamper-proof environment within the decrypting unit. Since the signal sent to the decrypting unit by the distributor can only be used by the specified decrypting unit, it is of no value to other users with different decryption units.
In other systems, a so-called "smart card" controls access to the data objects (see, e.g., U.S. Pat. No. 4,757,534, "Code Protection Using Cryptography," July 1988). Still others involve some form of run-time "software licensing" that does not necessarily encrypt data objects but which prevents their use on unauthorized computers (see, e.g., U.S. Pat. No. 4,888,798, "Modular Software Security," December 1989).
Among the drawbacks to prior systems are the following:
1. The decrypting unit contains some identifying information which must be kept secret from the user and only invoked when authorization to access the object is given. This information must be kept in a tamper-proof environment, something which is difficult to successfully implement, as evidenced by the problems with piracy experienced by cable TV systems that rely on such environments.
2. Each user is forced to possess dedicated, uniquely identifiable hardware. Thus, the great advantages of data distribution by a broadcast medium, that is, the cheap manufacturing and distribution costs, have been countered by the expensive manufacture and involved distribution of decrypting units.
3. Should the user compromise the physical security of the decrypting unit, the user can extract and then anonymously distribute decryption information. This then allows other users to gain unauthorized access to the encrypted objects via information much shorter than the objects themselves. Thus, not only has the system been compromised, but it is notoriously difficult to identify the offenders.

1. Decryption units need contain no identifying information that must be kept secret. The entire decryption process can, if desired, be carried out using software, perhaps on the user's computer, without any additional hardware.
2. Each user may possess identical hardware. Thus the cost of the decrypting unit is reduced and the distribution of decrypting units is facilitated.
3. Redistribution of decryption information is no longer an issue. Since the decryption information is effectively as long as an object, a user may as well redistribute the object itself.
4. A large part of the decryption information is totally independent of the object and the user; only a small part is object-specific. The large part may therefore be distributed in advance by inexpensive means. The user decides later to access any specific object with the large part. The small additional part is then distributed to the user, e.g., by phone.
5. An ideal environment for a sophisticated billing procedure is provided which is directly related to the objects the user buys.
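As an added example (not code from the patent or from any of the cited systems), the sketch below models the prior-art unit-key arrangement and the weakness listed as drawback 3: the authorization signal is useless to a different unit, yet the short content key, once extracted, opens the broadcast for anyone. The SHA-256 counter-mode keystream is a toy stand-in cipher, and all function names and the sample object are assumptions constructed for illustration.

```python
import hashlib, hmac, secrets

def _stream(key: bytes, n: int) -> bytes:
    # SHA-256 in counter mode: a toy stand-in for a real cipher.
    blocks = (hashlib.sha256(key + i.to_bytes(8, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def xor_crypt(key: bytes, data: bytes) -> bytes:
    # Encrypts and decrypts (XOR with the keystream is its own inverse).
    return bytes(a ^ b for a, b in zip(data, _stream(key, len(data))))

def authorize(unit_key: bytes, content_key: bytes) -> bytes:
    """Distributor: wrap the content key so only one unit can use it."""
    nonce = secrets.token_bytes(16)
    wrapped = xor_crypt(unit_key + nonce, content_key)
    tag = hmac.new(unit_key, nonce + wrapped, hashlib.sha256).digest()
    return nonce + wrapped + tag

def unit_decrypt(unit_key: bytes, signal: bytes, broadcast: bytes):
    """Decrypting unit: check the signal, unwrap the key, decrypt the object."""
    nonce, wrapped, tag = signal[:16], signal[16:-32], signal[-32:]
    good = hmac.new(unit_key, nonce + wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None  # signal was issued to a different unit
    content_key = xor_crypt(unit_key + nonce, wrapped)
    return xor_crypt(content_key, broadcast)

def demo() -> dict:
    obj = b"constructed sample data object " * 1024  # constructed input
    content_key = secrets.token_bytes(32)
    broadcast = xor_crypt(content_key, obj)           # identical for all users
    unit_a, unit_b = secrets.token_bytes(32), secrets.token_bytes(32)
    signal_a = authorize(unit_a, content_key)
    return {
        "unit_a_decrypts": unit_decrypt(unit_a, signal_a, broadcast) == obj,
        "unit_b_rejected": unit_decrypt(unit_b, signal_a, broadcast) is None,
        # Drawback 3: once extracted from any unit, the content key alone
        # opens the broadcast for everyone, and it is far shorter than obj.
        "bare_key_decrypts": xor_crypt(content_key, broadcast) == obj,
        "key_bytes": len(content_key),
        "object_bytes": len(obj),
    }

if __name__ == "__main__":
    print(demo())
```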